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Continuous Certification and 
Accreditation (C&A) 

Frequently Asked Questions 

(FAQs) 



Restructuring the NIST steps 

The existing C&A approach is already too expensive. Won't 
doing C&A more often be impossible to afford? 

• First, using automation to the maximum extent possible reduces costs. 

• You may be surprised to find that that network operations already has 
sensors in place to gather much of the data you need 

• The attackers are automated; with manual methods, we can't compete 
effectively 

• With Automation, we will be able to provide more targeted, timely, and 
prioritized information and have it done at a minimal cost 

• Using one automated process to cover "all" systems leverages 
economies of scale. 

• We need a Federal schedule with a range of tools to reduce seat costs. 

• Bottom Line: We believe that we can achieve continuous monitoring 
without increasing overall costs, by better use of budget currently 
allocated to C&A. 

How can another approach make C&A actually relevant to 
daily network and security operations? 



• In the traditional C&A approach, the analysis is often out of date by 
the time the C&A Reports are printed and bond. 

• Daily changes to the network and application configuration makes this 
inevitable. 

• Newly emerging attacks/threats make this even worse. 

• The automated approach 

• identifies security risks in a timely manner; 

• prioritizes issues based on risk to the enterprise; and 

• provides targeted information to the system owner, ISSO, and 
executive management communities. 

• Bottom line: We need timely, targeted, and prioritized information to 
drive security. Without it, we are driving "in the rear-view mirror". 

NIST has just revised 800-37. Why are we proposing another 
way to view this process? 

• The adversary is using automated means to attack us 

• There are hundreds of thousands of attacks per day, many zero-day 

• Our systems and networks are in continuous change 

• We cannot keep up with these changes using paper based reports, and 
manual testing. 

• With NIST 800-37 Revl, there is more emphasis on continuous 
monitoring 

• The revised process emphasizes continuous monitoring 

• This alternate view just reinforces the direction NIST is already going. 

• We need this continuous monitoring to help operational staff find the 
right risks to focus on, day-to-day. 

• Bottom Line: This new process is necessary to provide timely, 
targeted, and prioritized information to help operational staff to 
prioritize their "security" work on a daily basis. 

Why is a traditional lifecycle approach not enough? 

• China is often mentioned in the press as a key source of attacks 

• Consider them as one example. 

• The security workforce in the US is outnumbered by even Chinese 
"hackers". 

• The Chinese attacks are highly automated, while 800-37, as currently 
implemented in manual. 

• The Chinese attacks are changing daily, while our defenses are not. 

• Now consider that China is just one source of such attacks, and the 
problem is many times worse. 

• Bottom Line: We cannot succeed in defending our information with 
available workforce, using the manual approaches we currently use 



• It simply will not work. 

NIST SP 800-37 rev 1 states that the C&A process should be 
closely linked to the SDLC. How will this be accomplished 
with this process? 

• Security should be built in at the beginning and not the end of the 
SDLC 

• But, even when this happens, new attacks and new threats will require 
us to continuously adapt. 

• There is no known way to fix all security problems Up front Once and 
for all. 

• Still, we can practice continuous testing in the development and 
maintenance environments, not just in production 

• This will tell us whether the emerging systems are getting more 
secure. 

• Bottom Line: Staying secure requires "eternal vigilance" 

• This includes up-front, in the middle, and at the end of the SDLC. 

Does this process totally replace the traditional C&A process? 

• The process we are outlining is designed to meet and exceed the 
standards of the traditional C&A process. 

• Automated, near-real-time continuous monitoring fulfills requirements 
for step 4 (Certification) and step 6 (monitoring) 

• It is the "sensory" part of the system. 

• The rest of the system is designed to support (dynamically): 

• Categorization (Step 1) 

• Control Selection and security planning (Step 2) 

• Daily improvements to control implementation (Step 3) 

• (Continuous) re-authorization decisions (Step 5). 

• These parts of the system provide the nervous system to use the 
sensory data to drive action from senior executives down to systems 
administrators, as needed. 

• Bottom Line: This approach doesn't substitute something else for the 
traditional C&A process Rather it fulfills all those requirements, and 
exceeds them by doing it in near-real-time. 

SCAP 

What is SCAP (Security Content Automation Protocol)? 



• SCAP (pronounced S-CAP)is a synthesis of interoperable security 
automation specifications derived from interested parties from 
industry, research and educational institutions, and government 

• SCAP specifications include languages, enumerations, and metrics. 

• For details, refer to: 

1) NIST SP 800-117, DRAFT Guide to Adopting and Using the Security 
Content Automation Protocol (SCAP) and NIST SP 800-126 

2) The Technical Specification for the Security Content Automation 
Protocol (SCAP): SCAP Version 1.0 for specific details on SCAP 3) NIST 
IR 7511 Revl, DRAFT Security Content Automation Protocol (SCAP) 
Version 1.0 Validation Program Test Requirements 

• Please visit scap.nist.gov, for information about both existing SCAP 
specifications and emerging specifications relevant to NIST's security 
automation agenda. 

• Bottom line: Many different security activities and disciplines can 
benefit from standardized expression and reporting 

• SCAP will improve security in the areas of compliance, remediation, 
and network monitoring 

Why is SCAP a key part of continuous C&A? 

• 1) SCAP provides standard language for how to conduct tests 

• This allows the same SCAP modules to "program" various tools to do 
the same test. 

• This, in turn, make the Risk Scoring capability tool-independent 

• 2) Standardized SCAP content is being developed at the federal level 
and provided to the agencies for their use 

• This provides a library of predefined "Best-Practice" tests that all 
agencies can share. 

• 3) SCAP test specifications can map the test to various other standards 
"implemented" by the test. 

• This data enables you to compute what part of any given standard is 
"covered", and what must be done manually (or with other automated 
tests). 

• 4) A standard language to express test results. 

• If the dashboard is built to read this SCAP-compliant output, then it 
can receive data from any (or all) of these tools, without special 
programming. 

• Bottom line: SCAP Supports 1) Tool independent ways to specify "what 
to test", 2) A library of shareable tests, 3) Linkage to Standards like 

NIST 800-53A, and 4) A standard way to send output to dashboards. 



Can we use SCAP for everything? 

• Automated Tests: Yes 

• SCAP was originally developed to automate compliance checks, tests 
for vulnerabilities, etc 

• SCAP of this kind can be automated by security tools of various sorts. 

• Manual Tests: Yes 

• There will be some tests that are not automated 

• SCAP can still be used to express these tests 

• This has the following advantages. 

• All tests are expressed in the same "language". 

• This still links these manual tests to other standards (such as NIST SP 
800-53A) 

• Advantages: When SCAP is used to express all tests, it also becomes 
the primary way to express policy 

• An SCAP parser can be used to provide a human interface to read the 
"policy" in plain English. 

• Bottom Line: Yes 

• And it has several advantages over "text". 
What will be put into SCAP first? 

• The answer to this can vary, agency to agency, as each selects the 
right path for its own needs. 

• The plan at the Department of State is as follows 

• 1) Test for as many Vulnerabilities from the National Vulnerability DB 
as possible. 

• 2) Automate all configuration guides relevant to C&A . 

• 3) Add system specific controls. 

• Bottom Line: Get started and get finished. 

Who will put tests into SCAP? 

• This will vary, from agency to agency, depending on their priorities 

• At State, there is a partnership between three groups: 

• The in-house group that currently automates checks will take the lead, 
and begin to move content into full SCAP presentation, not just XCDEF 

• NSA -will help identify checks we have already adopted from STIGS 
and other guidance 

• NSA will also add new contents to its federal repository for SCAP tests. 
. NIST-State is working with NIST to get 800-53A mapping into SCAP 

related to vulnerabilities. 

• Contractors -will be added to the workforce as needed, for the surge 
in SCAP writing that is needed to get started. 



• Bottom Line: A partnership of several kinds of resources is probably 
needed to achieve this 

• There is also no reason for each agency to "reinvent the wheel". 

How will tests be put into SCAP? 

• Each agency may want a slightly different strategy. 

• State will reuse as much existing SCAP as possible. 

• In the short run, State may simply write the part that implements the 
test in extensible Configuration Checklist Description Format (XCCDF) 

• This is faster than writing full SCAP. 

• In the medium term, State prefers to have it coded in full SCAP. 

• Time and funding will determine when we can achieve full SCAP 
content. 

• NSA provides SCAP editors to all federal agencies, which may facilitate 
writing SCAP 

• State is currently evaluating which tools make SCAP writing most 
efficient. 

• Bottom Line: There are ways to phase in the transition 

• Get started and get finished. 

How will using SCAP change policy manuals and 
configuration guides at State? 

• State policy manuals and configuration guides are currently written in 
text 

• Format varies widely 

• They are often in PDF. 

• This makes the guidance hard to automate 

• It is also expensive to produce, hard to read, and out of date. 

• Whether policy is tested is not automatic. 

• In the future, State plans to put guides into a SCAP database 

• SCAP will map the configuration checks back to STIGs, 800-53a, 
FISCAM, and help us reuse SCAP configuration checks from other 
sources that have been already coded. 

• Textual configuration guides will be created by running a tool called 
parser on the SCAP content to create a human-readable document. 

• It is expected that SCAP will become the authoritative source for 
expression of the policy. 

• Bottom Line: SCAP will become the primary source for policy (enabling 
automation), and human readable documents will be "computed" from 
the SCAP. 



NIST Compliance 

How does continuous C&A impact the three year 
reauthorization requirement? 

• Reauthorization every three years may still be required, but 
recertification data will already be collected. 

• Because the system is tested continuously, one can see a timeline of 
risk levels for the system. 

• At (re-)authorization time, the DAA can see the history of the system's 
risk levels over the past X years. 

• This timeline of risk is more useful than a point-in-time list of 
weaknesses that may be out of date tomorrow. 

• There will be little delay in reauthorization, because certification will be 
done. 

• Bottom Line: The three year reauthorization requirement remains, but 
becomes very easy to meet (since certification will be already done) 

• Thus reauthorization can be done with minimal extra cost and no 
testing delays. 

Does continuous C&A change any of the documentation 
requirements? 

• It does NOT change what must be documented. 

• We must meet or exceed the NIST/OMB documentation requirements. 

• It DOES change the way we document. 

• Policy is documented in SCAP 

• Narrative policy can be computed from the SCAP. 

• Tests are driven by the same SCAP. 

• They are thus always in sync. 

• The summary risk scores will provide a better way to summarize test 
results (for both C&A and annual testing. 

• For example, a timeline of risk scores over 1-3 years summarizes 
these results. 

• By expressing the SSP controls in SCAP, we can make their data 
available to compare to scan results 

• For example, if approved DB links are listed in the SCAP, any other 
links found are suspect. 

• Bottom Line: We will meet or exceed the existing documentation 
requirements. 

How will security control enhancements be handled? 



• BottomLine: Allsecurity controls and security control enhancements 
will be expressed in SCAP. 

How does the dashboard support the POA&M process? 

• The POA&M process tracks a list of discovered weaknesses to be fixed. 

• So does the dashboard. 

• The dashboard also provides the following things required by POA&M 

o Prioritization 

o Summary Reporting to System Owners and other seniors" 
o Removal of the "risk" when fixed and verified, 
o Verification of remediation. 

• Because the dashboard is focused at such a detailed level, some 
aspects of the POA&M process are best done at the system level, 
focusing on reducing the risk score: 

o Budgeting for security 

o Deadlines for reaching lower risk levels, not for fixing specific 
items. 

o Users don't close items 

o They disappear when the monitoring shows they are fixed. 

• Bottom Line: The Dashboard supports a full POA&M equivalent for 
whatever risks it tracks 

• It does some things a little differently, but it meets the intent 

• No separate tracking system is needed for these risks. 

Will continuous C&A identify all significant changes? 

• Bottom Line: Very unlikely 

• You still need a process to identify planned changes. 

Why are NISTSP 800-37 Rev .1 steps 4 & 6 in the same box 
when NIST has them as separate steps? 

• NIST focuses primarily on the first time a system goes through C&A. 

• Step 4 is the initial C&A certification 

• Step 6 is the testing that occurs between C&A cycles. 

• Today most systems have been C&Aed once already 

• They spend most of their time in the continuous monitoring phase 

• We agree with NIST that we need to focus more on continuous 
monitoring. 

• In the continuous monitoring centric view of the process Step 4 is just 
a special case of step 6. 

• They really are the same. 



• Bottom Line: If you focus on continuous monitoring, there is no need 
to do anything EXTRA for: 

o Annual Testing 

o Re-Certification every three years. 

• It's already done by continuous monitoring. 

How do we test for policy? 

• NIST SP 800-53A has many steps that test to see whether "policy" is 
in place 

• We have all tended to assume that policy is narrative text, and must 
be checked manually. 

. NOT! ! As noted in the FAQs on SCAP: 

• SCAP-expressed configuration guides and checklists (not text) will 
become the expression of the policy. 

• This SCAP "policy" can directly identify the tests to do to verify 
compliance. 

• IF these tests are performed regularly, with results provide to those 
who need to act on findings, 

• THEN The existence of the SCAP and testing results proves: 

• That we have policy 

• That we are testing it. 

• That we are acting on the results. 

• Bottom Line: By testing whether SCAP-expressed policy is being 
followed, we verify that we have the policy 

• This can be automated 

• By testing for compliance we test for policy. 

What if NIST SP 800-53A says we have to 
interview/examine? 

• NIST SP 800-53A identifies three modes of "verification" of controls: 

• Interview (least reliable and hard to automate) 

• Examine documents (still hard to automate) 

• Test (most reliable and easiest to automate) 

• For each test step NIST suggests which to use 

• This suggestion is based on what NIST thought might be the minimally 
acceptable standard. 

• NIST does not mandate use of specific assessment methods as long as 
the method used meets or exceeds the intent of NIST guidance 

• Bottom Line: We can use automated testing (which is the most 
reliable) and this will always meet or exceed NIST guidelines (even 

when interviews or examinations are allowed). 



Will there be times when security control assessments will 
be done using the NISTSP 800-53A test steps? 

• Yes, All the time 

• Federal agencies are required to include 800-53A test steps. 

• Our plan is to meet or exceed the existing requirements, thus our plan 
is to cover all NIST SP 800-53A test steps. 

• To do this, having SCAP that maps all the tests to NIST SP 800-53A is 
vital. 

• Because we will be scoring risk, we will be assigning risk points to each 
of the NIST SP 800-53controls and the corresponding NIST SP 800- 
53A test steps. 

• That means we can focus more testing and remediation on the most 
important NIST SP 800-53A test steps. 

• Bottom Line: Yes, with more attention given to the more "important" 
test steps. 

Concept of Operations 

How will we test controls where the testing cannot be 
automated? 

• Controls to be tested manually can still be recorded in SCAP 
. TheSCAP will 

• link each test to 800-53A and other standards. 

• Specify that testing is manual. 

• Specify (in text) how the control is to be implemented. 

• Specify (in text) how the test is to be done. 

. (Maybe NIST will start issuing 800-53A in SCAP?) 

• Specify how risk is to be computed when the control fails. 

• For these manual tests we can use a risk-weighted random sample to 
guide daily testing of a few controls, with results entered manually into 
the dashboard DB. 

• We will let the system owner do these routinely. 

• The system owner can record items that are fixed 

• Periodically, we will independently verify the reliability of the system 
owner's tests. 

• Bottom Line: Manual tests can be integrated into the dashboard with a 
level of continuous testing to provide one holistic approach to testing 

and reporting risk 



How will continuous C&A be applied to systems not 
connected to the network? 

• For systems, not on the network, we will request the network owner to 
provide equivalent information back in SCAP format 

• For stand-alone systems, a risk assessment will determine the 
appropriate steps to be taken 

• The risk assessments may drive possible exception to the continuous 
monitoring process. 

• Bottom Line: In most cases, over time, some kind of continuous 
monitoring will be set up, with only a few exceptions. 

How will false positive findings be handled by continuous 
C&A to ensure accurate risk score? 

• State has defined a standard "exception handling process" that 
addresses false positives: 

• Currently the Site/System Owner can submit a scan exception to IA, 

• IA will work with those conducting scanning to objectively determine 
the accuracy of the false/positive claim. 

• If the false positive claim is generally valid, exceptions will be provided 
to prevent scoring UNTIL the test is fixed. 

• Once the test is reliable, the exception will be removed and scoring will 
resume. 

• Bottom Line: Using the established exception management process. 
How does the dashboard assist categorization? 

• To do this we need Data Linkage Project (DLP) sensors to identify PII 
and other sensitive data. 

• When such data is found, it can be compared to the declared kinds of 
data in a system. 

• If these do not match, the re-categorization analysis is needed. 

• Bottom Line: By finding data types that weren't declared in the current 
categorization it identifies when re-categorization is needed. 

How does the dashboard guide control implementation? 

• The monitoring system finds weaknesses that need to be fixed 

• These include (but are not limited to): 

• Un-remediated vulnerabilities. 

• Controls/Configurations that do not meet the acceptable state. 



• These finding are prioritized and presented to system administrators in 
a timely manner for remediation. 

• Bottom Line: The grades and scores help IT workers focus on fixing 
the largest existing weaknesses, and continuously improving security 

• This is the main benefit of the continuous process. 

How does the SSP inform what to test in the dashboard? 

• Everything that is a control should be expressed in SCAP 

• This is true for controls to be tested via automation or manually. 

• We will move in this direction over time. 

• A narrative version of the SSP control scan be generated from the 
SCAP, but the SCAP will be the PRIMARY expression of the control. 

• Controls to be tested by a tool can be implemented by sending their 
SCAP to the tool. 

• Controls to be tested manually will be sampled, with a few tested each 
day, and with results reported to the dashboard. 

• Bottom Line: The SSP (thru SCAP) directly drives the controls to be 
tested. 

How does the dashboard identify significant changes? 

• The dashboard identifies 

• Controls that are not working; 

• Changes in the categorization (DLP); 
. Changes in SW/HW . 

• Significant increases in risk scores 

• Risk scores exceeding DAA defined triggers. 

• Any and all of these could contribute to the need for a significant 
change analysis. 

• Bottom Line: Risk triggers defines at authorization time will be a 
primary means to identify significant change, but other changes may 
also trigger change analysis. 

How does the dashboard notify system owners of significant 
changes in near real time? 

• With tests conducted every 3-15 days, system owners will be notified 
of any changes to their system based on predetermined threshold 
limits 

Why is near real time testing so valuable? 



• New attacks are occurring rapidly 

• Configurations change daily. 

• If we cannot respond fast enough, security will not survive 

• The old process does not allow us to respond in time to prevent 
breaches. 

• Bottom Line: To respond to real world attacks that happen in real 
time. 

How does continuous C&A support the DAA decision? 

• All controls are scored across the system, comparable score from one 
system to another 

• The DAA can define a risk threshold(s) to trigger automatic reviews to 
decide the need to 

• Re-plan security when risk begins rising. 

• Suspend operations when risk reaches exceptional levels. 

• The DAA can also review detailed reports (historical timelines, detailed 
weaknesses, etc) to decide whether risk scoring is performing as 
expected. 

• The DAA can review narrative information for the threat and situational 
awareness teams. 

• Bottom Line: The system can provide the DAA a number of 
mechanisms to assess risk and support authorization decisions. 

How can a near real-time DAA process work? Will that 
overburden the DAA? 

• The DAA will set risk triggers at CAA time. 

• While actual risk will be compared to these triggers daily, the DAA will 
only be involved when one of the triggers fires. 

• When the DAA does have to make a decision, there will be less 
narrative to read and more history graphs to show trending, allowing 
the DAA to make appropriate decisions to thwart the attackers. 

• (Clearly the DAA can look at the data more often, if desired) 

• Bottom Line: The monitoring system will not over burden the DAA 

• Rather it will provide information targeted to the DAA's needs, to get 
the DAA involved if and only if needed. 

How can DAA triggers be set? 

• Scores will be based on a risk analysis model validated by NSA, 
considering Threat, vulnerability and impact to compute risk. 



• Over time, an agency will develop guidelines on levels of risk that are 
acceptable, given the categorization of a system. 

• A DAA may want to accept less risk, but will not be allowed to accept 
more risk than these minimal standards. 

• This provides institutional and system level risk triggers to provide 
adequate protection. 

• Bottom Line: Using objectives measures of risk and triggers that are 
comparable across systems, adjusted for the sensitivity of the 
information to be protected. 

How is the significant change process related to DAA 
decisions? 

• Bottom Line: A significant change will require re-planning in certain 
areas to maintain a score below the predetermined threshold. 

How will near real time data find problems before they go 
red? 

• Before systems go red, they will normally be in the "yellow" risk zone, 
requiring re-planning and reimplementation of controls (remediation of 
weaknesses). 

• Almost all system owners will take a yellow alert seriously and take 
necessary action to avoid going into the red (do not operate) zone. 

• Before systems go yellow, system staff will still know the main risks to 
work on to protect the system 

• If these are addressed daily, the system will likely never go yellow. 

• Bottom Line: By addressing problems as the emerge, continuously 
working to manage (reduce) risk. 

How will this kind of monitoring keep us out of the news? 

• Nothing can guarantee that some event won't appear in the news. 

• Still, by finding unallowable control states and persistently fixing them 
in a timely manner, we will minimize this risk. 

• Threat analysis and situational analysis will also help the agency 
address systemic risks. 

• Importantly, if a threat does materialize, being able to show that all 
reasonable measures were being taken to prevent such losses will 
mitigate the political impact. 

• Bottom Line: By persistently working to reduce risk on a daily basis. 

FISMA Compliance 



How will continuous C&A support FISMA reporting? 

• Annual Tests: Routine risk score trend lines provide an excellent 
summary of annual test status that is more useful that a one-time 
snapshot. 

• Certification: The same risk score trend lines with detailed weakness 
reports support certification documentation requirements. 

• POA&M: The list of current weaknesses meets many POA&M tracking 
requirements. 

• OMB Dashboard: The OMB is developing a FISMA metrics dashboard 

• Eventually the agency continuous monitoring dashboards could feed 
the OMB dashboard. 

• OIG Data Calls: The OIG at State tends to like the dashboard because 
it gives them detailed insight into inventory and weaknesses 

• It also shows the extent to which risk is being managed. 

• Bottom Line: The dashboard can significantly enhance FISMA 
reporting. 

Will continuous C&A be of use when responding to other 
external audits? 

• Auditor Data Calls: Giving auditors access to the dashboard will answer 
a large range of info security related data calls, with minimal effort. 

• Implementing Auditor Recommendations: Controls can be added by 
writing SCAP and beginning routine testing of implementation. 

• Closing Recommendations: When monitoring shows that the controls 
are working and that the weakness has been remediated, there will be 
good documentation to close the recommendation. 

• Bottom Line: The continuous monitoring process contributes in several 
ways to support external auditors and closing recommendations. 

Will continuous C&A meet or exceed FISMA and NIST 
requirements? 

• Bottom Line: Yes, it will meet or exceed FISMA and NIST 
requirements. 

Benefits & Cost 

How resource intensive will continuous C&A be? 

• We expect to be able to implement continuous C&A using the funds 
already being spent on C&A. 



• To do this, one shifts resources from expensive, manual, one-time 
tests, and invests it in systems and tools to feed the dashboard and do 
continuous C&A. 

• Allowable states are defined in the SCAP/SSP 

• We put the sensors in place to detect unallowable states, 

• Then put resources to fix the problem in a timely manner 

• Bottom Line: Continuous C&A will significantly improve security across 
the network for the same amount of money 

How will continuous C&A deter the insider threat? 

• Threat analysis will identify controls needed to deal with insider threat 

• These controls will be put into SCAP and tested across the network 

• Bad actors will be addressed through audit logs, separation of duties 
and other requirements in 800-53 

• For example, to prevent unauthorized viewing of passport information, 
a sys admin will assign a team member permission for access to X for 
a specified amount of time (Z). 

• Bottom Line: This will work much the same way as we deal with 
external threats. 

Will continuous C&A really keep the Department's 
information secure? 

• Which will keep data safer: 

• Testing every 365 days and fixing problems found? 

• Testing every 3 

• 65 days and fixing problems found? 

• Experience in pilots shows that implementing just continuous 
monitoring results in huge rapid risk reductions. 

• Notwithstanding the improvement, there will always be new threats 
and there is never any total guarantee of security 

• Bottom Line: It is hard to imagine that testing and fixing problems 
more often would make things worse. 

Threat & Situational Analysis 

Why are we proposing to add new processes to the NIST 
model? 



• We added processes to the 800-37 model to look at the environment 
of the information system: 

• Threat Analysis 

• Situational Analysis 

• Under draft risk analysis guidelines, NIST is proposing that C&A must 
consider environment risk at several levels, up to the enterprise level. 

• We agree with NIST and think 1) this component can be added now, 
and 2) doing so will provide much more sensitive risk scores to focus 
remediation efforts on the most important threats. 

• Bottom Line: to focus remediation efforts on the most important 
threats. 

How does adding threat and situational analysis actually 
improve operational efficiency? 

• We added processes to the 800-37 model to look at the environment 
of the information system: 

• Threat Analysis 

• Situational Analysis 

• Adding these allows us to adjust risk scores to focus efforts on the 
most important risks. 

• This increases the cost effectiveness of operational work because we 
get the most benefit for whatever effort is expended. 

• Bottom Line: To focus remediation efforts on the most important 
threats, which increases operational efficiency. 

Do the "new" processes actually make the process more 
NIST compliant? 

• We added processes to the 800-37 model to look at the environment 
of the information system: 

• Threat Analysis 

• Situational Analysis 

• Bottom Line: Yes, this increases NIST compliance because it addresses 
emerging requirements to look at environmental risk. 

How will threat and situational analysis data be used by the 
DAAs and system owners? 



• DAA decisions have often been driven by a simple need to comply with 
800-53 requirements. 

• Frankly, many system owners and/or DAAs may not see much value in 
compliance. 

• Adding the threat and situational awareness data will 

• animate the need for good security by providing concrete, tangible 
examples of how attacks have (or might) occur. 

• Provide better risk scores to focus the DAA and System Owner on the 
most important risks. 

• Bottom Line: This data will help people see why security is needed. 

How will threat and situational analysis data be used by the 
dashboard? 

• Bottom Line: These analyses will be used to decide how to tweak risk 
scores based on 

• Threats that are likely to occur, 

• The interaction of weaknesses that allow successful attacks. 

How will threat and situational analysis data be used by 
network operations staff? 

• In ALL cases, this data will result in adjusted risk scores 

• Operational staff will use those scores to prioritize their work 

• They may (or may not) know why the scores were adjusted. Knowing 
"why" isn't really necessary. 

• In SOME cases, the reasons for score adjustments will be 
communicated to network operations staff to animate interest in 
security 

• In OTHER cases, the reasons may be too sensitive to do this. 

• Bottom Line: Operational staff will use resulting risk scores to prioritize 
their work. 

Some narrative explanation will be used to help them see the need for 
better security. 



